From: sashiko-bot@kernel.org
To: "Jinmo Yang" <jinmo44.yang@gmail.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH 4/4] HID: wacom: validate report length for 24HDT and 27QHDT handlers
Date: Sun, 17 May 2026 15:45:10 +0000 [thread overview]
Message-ID: <20260517154510.D1338C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260517135215.2220117-5-jinmo44.yang@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The patch provides an incomplete fix for out-of-bounds reads caused by short HID reports. It adds length checks for `WACOM_24HDT` and `WACOM_27QHDT`, but misses the exact same vulnerability in numerous other device handlers called by `wacom_wac_irq()`.
--
commit 46cbf4294f0d1877c7d3c2555971c064f005babf
Author: Jinmo Yang <jinmo44.yang@gmail.com>
HID: wacom: validate report length for 24HDT and 27QHDT handlers
This commit adds length checks to wacom_wac_irq to prevent out-of-bounds
reads for WACOM_24HDT and WACOM_27QHDT devices when they receive short HID
reports.
> diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
> index 269e8318f79af..2fd1c4e80a72b 100644
> --- a/drivers/hid/wacom_wac.c
> +++ b/drivers/hid/wacom_wac.c
> @@ -3509,7 +3509,14 @@ void wacom_wac_irq(struct wacom_wac *wacom_wac, size_t len)
> break;
>
> case WACOM_24HDT:
> + if (len < 62)
> + return;
> + sync = wacom_24hdt_irq(wacom_wac);
> + break;
> +
> case WACOM_27QHDT:
> + if (len < 64)
> + return;
> sync = wacom_24hdt_irq(wacom_wac);
> break;
While this prevents out-of-bounds reads for WACOM_24HDT and WACOM_27QHDT,
are there other device handlers in this switch statement that also need
report length validation?
For example, handlers like INTUOSP2_BT, REMOTE, INTUOS, and PENPARTNER
appear to process reports without validating the buffer length.
Looking at wacom_intuos_pro2_bt_irq(), it receives the length but seems to
unconditionally call wacom_intuos_pro2_bt_pen():
wacom_wac_irq() -> wacom_intuos_pro2_bt_irq() -> wacom_intuos_pro2_bt_pen()
Does this allow wacom_intuos_pro2_bt_pen() to read up to data[107] without
validating the buffer size?
Similarly, does wacom_remote_status_irq() read up to data[30] to populate
remote serial numbers without checking the length?
Could a malicious device sending short reports still trigger regressions
like slab-out-of-bounds reads or information leaks to userspace through
these other handlers?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260517135215.2220117-1-jinmo44.yang@gmail.com?part=4
prev parent reply other threads:[~2026-05-17 15:45 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 13:52 [PATCH 0/4] HID: wacom: add report length validation in irq handlers Jinmo Yang
2026-05-17 13:52 ` [PATCH 1/4] HID: wacom: validate report length for PL and PTU handlers Jinmo Yang
2026-05-17 14:22 ` sashiko-bot
2026-05-17 13:52 ` [PATCH 2/4] HID: wacom: validate report length for DTU handler Jinmo Yang
2026-05-17 14:47 ` sashiko-bot
2026-05-17 13:52 ` [PATCH 3/4] HID: wacom: validate report length for DTUS handler Jinmo Yang
2026-05-17 15:19 ` sashiko-bot
2026-05-17 13:52 ` [PATCH 4/4] HID: wacom: validate report length for 24HDT and 27QHDT handlers Jinmo Yang
2026-05-17 15:45 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260517154510.D1338C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=jinmo44.yang@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox